Hi John,

On 6/19/22 19:30, John Levine wrote:
It appears that libor.peltan <libor.pel...@nic.cz> said:
Alternatively, we may say that the RFC8078 bootstrapping is deprecated,
but still, it doesn't mean that we replace it.

That seems reasonable. Does anyone actually do the current TOFU-ish bootstrap?

Yes: https://github.com/oskar456/cds-updates

No longer suggest NSEC-walking Signaling Domains. (It does not
work well due to the Signaling Type prefix. What's more, it's unclear
who would do this: Parents know their delegations and can do a
targeted scan; others are not interested.)

There's still a reference to NSEC walking in the penultimate paragraph in sec
3.3.

Yes; the paragraph there names a precaution that needs to be considered when
doing an NSEC walk. I think it should stay, even when NSEC walking is not
suggested as a discovery method.

I think it's still worth a suggestion in the trigger section that
operators allow AXFR of the signal information. While probing is just
as fast if there are only a few domains delegated to a NS, there are
name servers that have hundreds of thousands or millions of delegated
names.

How about the following, inserted between the 2nd and the 3rd bullet in Section
3.3:

* The Parental Agent encounters a Signaling Record during an NSEC
walk or upon zone transfer of a Signaling Zone;

Thanks,
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop